
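function Update-AWSProfile {
    <#
    .SYNOPSIS
    Update AWS Profile credentials file with temporary assumed role credentials.
    .DESCRIPTION
    Update AWS Profile credentials file with temporary assumed role credentials.

    Assumes the role configured on the named profile (RoleArn plus its MFA serial number and a
    one-time MFA code) and stores the resulting temporary credentials under a "temp-<profile>"
    profile, in the credentials file that holds the 'default' profile. If "temp-<profile>" already
    holds working credentials (checked with Get-STSCallerIdentity) the function exits without
    prompting for a new code.

    The temporary credentials are written to disk and remain usable until they expire, i.e. for up
    to SessionDurationSeconds; choose the shortest duration the workflow allows.
    .PARAMETER Profile
    [string] The AWS profile name to update.
    .PARAMETER MfaCode
    [string] The MFA code from the AWS-associated MFA device. If not provided, will be prompted to enter.
    .PARAMETER SessionDurationSeconds
    [uint16] The session duration in seconds for the temporary assumed role. Valid values are 900 seconds (15 minutes) to 43200 seconds (12 hours).
    If not provided, will default to 43200.
    .OUTPUTS
    None. Progress is reported through Write-Verbose; every failure is reported through Write-Error
    and the function returns without writing credentials.
    .NOTES
    Requires a 'default' profile (its ProfileLocation decides where the temporary profile is stored)
    and a source profile with both a role ARN and an MFA serial number configured.
    .EXAMPLE
    Update-AWSProfile -Profile 'Prod'
    .EXAMPLE
    Update-AWSProfile -Profile 'Prod' -MfaCode '123456'
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Profile,

        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$MfaCode = $null,

        [Parameter(Mandatory = $false)]
        [ValidateRange(900, 43200)]
        [uint16]$SessionDurationSeconds = 43200
    )

    $logLead = (Get-LogLeadName)
    $tempProfile = "temp-" + $Profile.ToLower()
    $helpUrl = 'https://confluence.alkami.com/x/hrMHB'

    Import-AWSModule

    # Reuse a still-valid temporary session rather than prompting for MFA again.
    # -ErrorAction Stop is required here: a non-terminating error from the probe would otherwise
    # skip the catch block and the function would return as if the credentials were still valid.
    try {
        Get-STSCallerIdentity -ProfileName $tempProfile -ErrorAction Stop | Out-Null
        Write-Verbose "$logLead : Credentials for profile [$tempProfile] are still valid; exiting."
        return
    } catch {
        Write-Verbose "$logLead : No valid credentials associated with profile [$tempProfile]; proceeding"
    }

    # The temporary profile is stored alongside the 'default' profile, so that file must be locatable.
    $profileLocation = ( Get-AWSCredential -ListProfileDetail |
        Where-Object { $_.ProfileName -eq 'default' } |
        Select-Object -First 1 ).ProfileLocation
    if ( [string]::IsNullOrEmpty( $profileLocation ) ) {
        Write-Error "$logLead : Unable to locate default profile location. Check your configuration per [$helpUrl]."
        return
    }

    # The source profile must carry both the role to assume and the MFA device bound to it.
    $profileCred = Get-AWSCredential -ProfileName $Profile
    if ( $null -eq $profileCred ) {
        Write-Error "$logLead : Unable to locate the profile named [$Profile]. Check your configuration per [$helpUrl]."
        return
    } elseif ( [string]::IsNullOrEmpty( $profileCred.RoleArn ) ) {
        Write-Error "$logLead : Unable to locate the role ARN for [$Profile]. Check your configuration per [$helpUrl]."
        return
    } elseif ( [string]::IsNullOrEmpty( $profileCred.Options.MfaSerialNumber ) ) {
        Write-Error "$logLead : Unable to locate the MFA serial number for [$Profile]. Check your configuration per [$helpUrl]."
        return
    }

    if ( $false -eq $PSBoundParameters.ContainsKey( 'MfaCode' ) ) {
        $MfaCode = Read-Host -Prompt "Enter MFA code to assume role [$($profileCred.RoleArn)]"
    }
    # Read-Host is not covered by the parameter validation, so reject a blank entry before the STS call.
    if ( [string]::IsNullOrWhiteSpace( $MfaCode ) ) {
        Write-Error "$logLead : No MFA code provided for role [$($profileCred.RoleArn)]. Enter the current code from your MFA device and retry."
        return
    }

    # A rejected MFA code surfaces as a terminating error from Use-STSRole; catch it so the caller
    # gets the retry hint instead of a raw exception.
    $assumedCred = $null
    try {
        $assumedCred = (Use-STSRole -RoleArn $profileCred.RoleArn `
            -SerialNumber $profileCred.Options.MfaSerialNumber `
            -RoleSessionName $tempProfile `
            -TokenCode $MfaCode `
            -DurationInSeconds $SessionDurationSeconds `
            -ErrorAction Stop).Credentials
    } catch {
        Write-Error "$logLead : Unable to assume role [$($profileCred.RoleArn)]. Check your MFA code and retry. ($($_.Exception.Message))"
        return
    }

    if ( $null -eq $assumedCred ) {
        Write-Error "$logLead : Unable to assume role [$($profileCred.RoleArn)]. Check your MFA code and retry."
        return
    } elseif ( [string]::IsNullOrEmpty( $assumedCred.AccessKeyId ) ) {
        Write-Error "$logLead : No access key provided by [$($profileCred.RoleArn)] credential."
        return
    } elseif ( [string]::IsNullOrEmpty( $assumedCred.SecretAccessKey ) ) {
        Write-Error "$logLead : No secret access key provided by [$($profileCred.RoleArn)] credential."
        return
    } elseif ( [string]::IsNullOrEmpty( $assumedCred.SessionToken ) ) {
        Write-Error "$logLead : No session token provided by [$($profileCred.RoleArn)] credential."
        return
    }

    # Persist the temporary credentials; only report success once the write has actually completed.
    try {
        Set-AWSCredential `
            -StoreAs $tempProfile `
            -ProfileLocation $profileLocation `
            -AccessKey $assumedCred.AccessKeyId `
            -SecretKey $assumedCred.SecretAccessKey `
            -SessionToken $assumedCred.SessionToken `
            -ErrorAction Stop
    } catch {
        Write-Error "$logLead : Unable to store credentials for profile [$tempProfile] in [$profileLocation]. ($($_.Exception.Message))"
        return
    }

    Write-Verbose "$logLead : Updated profile [$tempProfile]."
}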